Why phishing attacks are increasingly targeting the public sector (and what you can do about it)

By Sam Hutton

Oct 20, 2017

One need only look at the news to know cyberattackers are targeting government with renewed vigor. The massive 2015 breach of the Office of Personnel Management and reported hacks into the Democratic National Committee emails all dramatically underscore the fact that government and political organizations are a large and rapidly growing target for political hacktivism and cyber espionage.

But while cyberattacks on the largest agencies have received the lion’s share of the headlines, cybercriminals are also putting rejuvenated effort into attacks against smaller, lesser known public-sector agencies. While clearly not as sensational as the OPM hack, attacks against the Kansas Commerce Department, which leaked millions of Social Security numbers across 10 states, and against the Oklahoma Office of Management and Enterprise Services, compromising the personal information of more than 430,000 people in that state, have had a dramatic and far-reaching impact on public-sector security.

Perhaps surprisingly, these lower-profile attacks are garnering cybercriminals lucrative returns. And here’s why -- by targeting the low-hanging fruit in the commercial space they can eventually reach their desired targets. Initially, hackers interact with the supply chain or whatever “weak link” gets them in the door of larger organizations where they can then access a bounty of sensitive data.

Attackers take a similar approach with government agencies, targeting smaller organizations that typically lack adequate security defenses and are deemed easy targets. These vulnerable, smaller government organizations also house an abundance of personal citizen data, including Social Security information and tax returns. While valuable on its own, this kind of highly sensitive user information opens the door for bigger, more sophisticated and expansive attacks that could lead to even more lucrative returns. Consequently, attackers see less reason to go after the highly defended Defense Department, when attacking a smaller agency can give them just as big a bang for their buck.

Phishing for targets: Infiltrating the government network

While it might be surprising in light of the sophisticated security landscape, today’s cyberattackers are still relying on age-old phishing attacks to infiltrate government networks. Government agencies, particularly small ones, often lack adequate email security defenses designed to combat increasingly stealthy threats. All too often, antivirus software -- a cornerstone of most small agencies' security infrastructure -- won’t even recognize the latest cyberthreats.

Meanwhile, despite the fact that malicious attachments are the primary cause of network compromise, file-based malware largely remains an enigma to most public-sector organizations. Less than two percent of malicious PDFs contain "just" an embedded file, while around 40 percent of Excel and 27 percent of Word malware have no macro or embedded file. This means that organizations that attempt to identify macros as their primary phishing attack defense strategy can easily miss malware in related attachments. All it takes is a click on one malware-bearing file for the attacker to successfully get in the door to compromise an entire government or public-sector network.

What’s more, phishing attacks have been proved effective time and time again because employees repeatedly fall victim to them. According to Glasswall research, the vast majority (82 percent) of employees open email attachments if they appear to be from a known contact, despite learning about sophisticated social engineering attacks from their security training. Of those, 44 percent opened these email attachments every time they received one.

These days, it’s easier than ever for attackers to acquire personal details of government employees. A simple social media search can uncover location, employment information and other personal interests. These details in turn can be leveraged with other types of data found in documents containing personally identifying information on government websites. From there, attackers use the combined information to craft an email that appears to be from a friend or colleague, often addressing the user with a subject that appears to have immediate relevance or requires action.

Criminals then hide malicious code -- such as a macro or JavaScript -- in the structure of what appears to be a common Office document or an attached functional element, which is accompanied by a socially engineered email designed to trick employees into clicking or downloading. Government employees who aren’t trained in email security best practices will often automatically open on the infected attachment, unintentionally downloading malware that can compromise the entire network and steal valuable data.

Even those employees who have been trained in network security become victims. Unlike phishing attacks in years prior, today's social engineering is so sophisticated that it can often successfully deceive even the savviest of security experts.

Bolstering the government security arsenal

Like many industries, the public sector is having a tough time protecting itself from phishing attacks. And perhaps one of the most significant challenges agencies face is that their approved legacy security infrastructure is becoming alarmingly less effective at combatting advanced threats.

Email security solutions, in particular, have become less effective over time. Initially created to identify and reduce spam, they still leave many organizations susceptible to more malicious attacks, such as ransomware, botnets, viral worms and information-stealing Trojans.

One of the reasons for these diminished returns is that most of solutions on the market are reactive – that is, based on detection of malicious code. The result is that they often unable to defend against an attack that doesn’t meet predefined parameters.

There are a few tactics that government agencies can take to reduce the likelihood of a devastating phishing attack.

Update email security policies to conform with current advanced threats, and hold regular training for employees on email security best practices, including being able to identify phishing emails and applying caution when clicking on unsolicited attachments. Among other things, routine training keeps email security top of mind for employees and creates an environment of awareness and information sharing that can be a strong first defense against phishing.

Invest in next-generation technologies, such as file-regeneration solutions, that will provide adequate defense against corrupted email documents leveraged in phishing attacks.

At its core, an automated file regeneration solution can disarm malicious files, producing a benign version referenced against the manufacturer’s original standard, and check it down to byte level, as opposed to just looking for active content in the body of the document. From there, the sanitized file is regenerated and passed on to users in real time, without the user even knowing. The technology protects organizations against the smallest alterations in file structure, detecting, for example, where criminals have altered just a few bytes in a PDF file to crash the reader software, launch malware or trigger hidden exploits.

Overcome apathy toward growing email threats targeting government networks. Despite the number of high-profile breaches occurring regularly in government agencies, many IT managers are still complacent about security, relying on outdated antivirus and perimeter solutions that fail to address where most of threats are hidden -- in file-based malware delivered in email attachments.

The public sector has no shortage of obstacles to overcome: dwindling budgets, rapidly evolving malware, lagging patch policies and slow software updates. But if history is any indication, it’s a safe bet that criminals will continue to go after the targets that provide the biggest returns. That means they will forego targeting a highly protected organization and attack smaller and less security-minded agencies with critical data that give them an inroad to larger networks. Taking the right steps to increase awareness and invest in the right defenses will go a long way to reducing the risk of a devastating attack that is almost sure to come down the road.